ietf-openpgp

Re: [openpgp] rfc3880bis - hard expiration time

2015-04-27 10:12:24
On Mon, 2015-04-27 at 16:51 +0200, Dominik Schuermann wrote: 
> 2.5 years on average until a key expires, even if you would argue
> setting the expiry time to 6 months, it's enough time for an attacker
> to misuse the key, I just don't see an attack scenario prevented by
> having expiration dates.
What speaks against keys that are just used e.g. for some weeks? You
could have them signed by other long-term keys, which are kept on
offline systems and are thus "more secure".


> Thus, hard expiration
> makes no sense in my model.
Well as said before, just because you or I don't use a certain scenario
doesn't mean that it's invalid for everyone else.


> Using 512-bit RSA keys should be rejected by the client software, no
> need to place expiration dates inside the key.
And what has the one thing to do with the other?
You could have created a 4096-bit RSA key 4 years ago; it would still be
considered "safe", even though the real owner may have abandoned it
and/or it may have been compromised long ago.
Since revocations are per se blockable, the peers of the key owner may
continue to use it forever.


Cheers,
Chris.

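The two points argued above (a size policy does not replace expiration, and a peer who never receives a revocation keeps trusting a key for as long as its self-signature says it is valid) are easy to see in code. The following is an added example written by the editor; it is not part of the thread and not code from any OpenPGP implementation. It models a client's key-acceptance policy on a constructed key record rather than parsing real OpenPGP packets, and the fingerprints, dates and the `MIN_RSA_BITS` threshold are assumptions chosen for illustration.

```python
"""Key-acceptance policy: algorithm/size check vs. expiration vs. revocation.

Constructed model, not an OpenPGP packet parser. The point it demonstrates:
rejecting weak keys and enforcing expiration are independent checks, and a
withheld revocation never reaches the peer's copy of the key.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical client policy: smallest RSA modulus the client will accept.
MIN_RSA_BITS = 2048


@dataclass(frozen=True)
class KeyRecord:
    fingerprint: str            # hypothetical identifier, not a real key
    algo: str                   # "rsa", "ed25519", ...
    bits: int                   # modulus / curve size in bits
    created: datetime
    expires: Optional[datetime]  # None means "no expiration time set"
    revoked: bool = False        # revocation status as the holder of this copy sees it


def evaluate(key: KeyRecord, now: datetime) -> Tuple[bool, str]:
    """Return (usable, reason) for `key` at time `now` under the client policy."""
    if key.revoked:
        return False, "revoked"
    if key.algo == "rsa" and key.bits < MIN_RSA_BITS:
        # Size policy lives in the client, independent of any expiration date.
        return False, f"rsa key too small ({key.bits} < {MIN_RSA_BITS})"
    if now < key.created:
        return False, "not yet valid"
    if key.expires is not None and now >= key.expires:
        # Expiration is enforced from the key's own metadata; no network needed.
        return False, "expired"
    return True, "ok"


def peer_view(owner_key: KeyRecord, revocation_delivered: bool) -> KeyRecord:
    """The copy a peer holds only reflects a revocation that actually arrived."""
    return replace(owner_key, revoked=owner_key.revoked and revocation_delivered)


# Constructed timeline: key made four years before the date of the e-mail.
CREATED = datetime(2011, 4, 27, tzinfo=timezone.utc)
NOW = datetime(2015, 4, 27, tzinfo=timezone.utc)


def scenario_no_expiry_revocation_blocked() -> Tuple[bool, str]:
    """4096-bit key, owner revoked it, revocation never reached the peer."""
    owner = KeyRecord("fpr-A", "rsa", 4096, CREATED, expires=None, revoked=True)
    seen_by_peer = peer_view(owner, revocation_delivered=False)
    return evaluate(seen_by_peer, NOW)          # (True, "ok"): trusted forever


def scenario_expiry_revocation_blocked() -> Tuple[bool, str]:
    """Same key, but the self-signature carried a six-month expiration."""
    owner = KeyRecord("fpr-B", "rsa", 4096, CREATED,
                      expires=CREATED + timedelta(days=183), revoked=True)
    seen_by_peer = peer_view(owner, revocation_delivered=False)
    return evaluate(seen_by_peer, NOW)          # (False, "expired")


def scenario_short_lived_subkey() -> Tuple[bool, str]:
    """Key meant to be used for a couple of weeks, checked a month later."""
    short = KeyRecord("fpr-C", "ed25519", 256, CREATED,
                      expires=CREATED + timedelta(weeks=2))
    return evaluate(short, CREATED + timedelta(weeks=4))   # (False, "expired")


def scenario_weak_key_with_expiry() -> Tuple[bool, str]:
    """A 512-bit key is refused by policy even while its expiration is far off."""
    weak = KeyRecord("fpr-D", "rsa", 512, CREATED,
                     expires=CREATED + timedelta(days=365))
    return evaluate(weak, CREATED + timedelta(days=1))


if __name__ == "__main__":
    for fn in (scenario_no_expiry_revocation_blocked,
               scenario_expiry_revocation_blocked,
               scenario_short_lived_subkey,
               scenario_weak_key_with_expiry):
        print(f"{fn.__name__}: {fn()}")
```

`scenario_no_expiry_revocation_blocked` is the case Chris describes: the peer's copy is formally valid indefinitely because the revocation is the only signal and it can be withheld. `scenario_expiry_revocation_blocked` and `scenario_short_lived_subkey` show the expiration bound doing its job without any network round trip, and `scenario_weak_key_with_expiry` shows that the size check and the expiration check answer different questions.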

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp